This piece is part 4 of our ongoing series on IoT security. Don't forget to download the ebook to understand the IoT security gap and how your business needs to address it, today.
As we discussed way back in parts 2 and 3 of this series, when consequences aren't immediately apparent, responsibility isn't immediately taken. Without an incentive to take action, most IoT device manufacturers simply won't.
Who, then, is responsible for IoT security, if not the manufacturer? Is it the consumer? The enterprise? The government? In theory, the answer is some combination of all four. But in practice, the answer is a bit tougher to swallow. It's you.
The Responsibility Shift
We already talked about the many vulnerabilities created by the race to market, and by the lack of security expertise among manufacturers who are only now adding networking and software stacks to products that used to stand alone. Devices are sold as plug and play, set it and forget it, so they ship with default credentials that the buyer is never prompted to change, and those defaults stay live on the network for years. But the network the device is plugged into is part of the problem too: a device sitting on a flat, unmonitored network is a foothold no matter how well it was built. So you can't lay all of the blame on the device manufacturer.
"It’s a shared responsibility model," says Yolonda Smith, Pwnie Express director of product management. If you buy a Bluetooth app-connected stuffed animal, "you should look on the box and ask, 'how is this data stored? Do I have control over that data once it's stored?'" Some of the responsibility is the manufacturer's: the setup process should require you to change your username and password as soon as the device is powered on, for instance. "No one expects a consumer to ask if their device is talking to a certain server. But they do have a role in protecting their own data," says Smith.
"Consumers need to think of their data like it's money. That’s certainly how vendors and attackers alike treat it. They should protect their social security number like it's gold; ask if their phone number is absolutely necessary to get access to an application. If more consumers think of it that way, I think they’ll be much more considerate and careful about the tradeoffs they’re willing to make for the sake of a convenience or service." Smith suggests that voting with dollars is the security mentality to adopt, referring back to the CloudPets and Target examples: everyone expected these businesses to take monstrous financial hits when personal data leaked from their products and stores, but the outcome did not quite match the expectation.
So if consumers have a responsibility to vote with their dollars in the name of security, what happens when they don't make good on that responsibility? Where is the incentive for manufacturers to ever do the right thing?
"Exposure is a big incentive and a major driver of cultural change," says Smith. "Target did ultimately adopt each and every security control recommended post-breach. They regularly walk people through their cyber fusion center to show people how their data is being handled. They recognized they could take it and bury it or they could say, this is what we can do to improve. And that’s the incentive for the manufacturers."
When IoT devices are introduced into corporate environments, the purchaser or the security team has both the ability and the responsibility to ask, "what is this device communicating with, and what's the context of that communication?" The answer matters because revenue generation is what takes precedence in a corporate environment, and an unknown device talking to unknown hosts puts it at risk. And as IoT risk expands beyond data loss, safety is on the line alongside revenue.
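As an added example (not code from this article or from Pwnie Express), here is how a security team might start answering that question from flow records. The flow lines, the device address, the vendor-cloud range and the per-device allowlist are all constructed for the example; addresses come from documentation ranges. The script summarizes who one device talks to and then flags conversations that fall outside the policy, attaching the context (internal versus external destination, cleartext management protocol) that tells an analyst why the conversation deserves a look.

```python
"""Baseline an IoT device's network conversations from flow records.

Added example for the article; not vendor code. Flow records are a
simplified NetFlow-like text form constructed inline, and POLICY is a
hypothetical per-device allowlist.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed sample flows: timestamp src dst dport proto bytes
# 198.51.100.0/24 stands in for the device vendor's cloud, 10.20.0.53 is site DNS.
SAMPLE_FLOWS = """\
2023-05-01T09:00:01 10.20.5.41 198.51.100.7 443 tcp 12840
2023-05-01T09:00:05 10.20.5.41 10.20.0.53 53 udp 96
2023-05-01T09:01:12 10.20.5.41 10.20.0.53 53 udp 102
2023-05-01T09:02:40 10.20.5.41 203.0.113.9 23 tcp 4412
2023-05-01T09:03:01 10.20.5.41 10.20.7.15 445 tcp 20480
2023-05-01T09:03:30 10.20.5.41 198.51.100.7 443 tcp 9981
"""

# Hypothetical policy: a bedside monitor should only reach the vendor cloud
# over HTTPS and the local resolver over DNS. Anything else is a question.
POLICY = {
    "10.20.5.41": {
        "name": "bedside-monitor-07",
        "allowed": [("198.51.100.0/24", 443, "tcp"), ("10.20.0.53/32", 53, "udp")],
    }
}

# Constructed site range used to tell lateral movement from egress.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text):
    """Parse the whitespace-separated flow format used above."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto.lower(), int(nbytes)))
    return flows


def summarize(flows):
    """Answer 'what is this device communicating with?':
    one row per (src, dst, dport, proto) with flow and byte counts."""
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in flows:
        key = (f.src, f.dst, f.dport, f.proto)
        summary[key]["flows"] += 1
        summary[key]["bytes"] += f.nbytes
    return dict(summary)


def is_allowed(flow, policy):
    """True if the flow matches any (cidr, port, proto) entry in the allowlist."""
    dst = ipaddress.ip_address(flow.dst)
    for cidr, port, proto in policy["allowed"]:
        if flow.dport == port and flow.proto == proto and dst in ipaddress.ip_network(cidr):
            return True
    return False


def find_violations(flows, policies):
    """Answer 'what's the context?': return (flow, reason) pairs for flows from
    a policed device that fall outside its allowlist, in input order."""
    violations = []
    for f in flows:
        policy = policies.get(f.src)
        if policy is None or is_allowed(f, policy):
            continue
        if ipaddress.ip_address(f.dst) in INTERNAL:
            reason = "lateral: unexpected internal destination"
        else:
            reason = "egress: unexpected external destination"
        if f.dport == 23:
            reason += " (cleartext telnet)"
        violations.append((f, reason))
    return violations


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (src, dst, port, proto), agg in sorted(summarize(flows).items()):
        print(f"{src} -> {dst}:{port}/{proto}  flows={agg['flows']} bytes={agg['bytes']}")
    for f, reason in find_violations(flows, POLICY):
        print(f"ALERT {POLICY[f.src]['name']} {f.ts} -> {f.dst}:{f.dport}/{f.proto}  {reason}")
```

In a real deployment the flow source would be a collector export or the monitoring sensor's own records, and the allowlist would come from the device's documented behavior or from a quiet observation period before it was trusted; the logic of "summarize, compare to what it should be doing, explain the difference" is the same.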
Even if employee data is stolen, many corporations won't change their purchasing policies or security parameters. But if the data happens to include the recipe for the next billion-dollar miracle drug? The incentive to protect is stronger.
That's generally the responsibility breakdown: device manufacturers should care about life and safety, because vulnerabilities in their devices can't be allowed to cause deaths; corporations should care about revenue generation and availability; consumers should care about privacy.
And what about the government? Sound policy, properly implemented, is certainly a key ingredient of IoT security success, and major regulatory bodies, including those within the United States government, must contribute to it.
Mostly, though, the end responsibility to protect the IoT devices and connections in your presence, and therefore yourself, your company and your dollars, falls on consumers, manufacturers and corporate security teams. Why, then, is the responsibility really just your own?
Because every single one of us has to be hyper-aware of the unseen vulnerabilities in our environments, wherever and whatever that environment may be. If even one individual is under-informed (a nurse, for example, using an insecure bedside monitor on a hospital network), the result could jeopardize safety, revenue generation and privacy all at once.
Policy creation goes a long way toward promoting awareness. Serious consequences do the same. The first should come first, so we can all mitigate the second.
For more on IoT security and how to fill the gaps as your business becomes ever more connected, read our eBook, The IoT Security Gap: What to Know, What to Do.